Who's Responsible for Protecting Data in the Cloud?
When it comes to storing data in the cloud, companies too often take security for granted, says Mario Santana, who handles security for Verizon Communications’ data-storage division.
Some businesses mistakenly assume that once they opt to store data on outside servers instead of their own, they no longer have to concern themselves with safeguarding that information, he says. “I’ll run across a problem and point it out as a courtesy, like, ‘Hey, you should fix this,’” Santana says. “They’re surprised. They had just expected that they wouldn’t have to deal with anything.”
The biggest threat to data stored remotely, it turns out, may be the failure to understand who’s responsible for keeping it protected. As demand for cloud services surges and cyberthreats become more acute, Verizon and other providers, such as IBM, are taking steps to help clients get a better handle on who’s in charge of security.
IBM tailors agreements to a client’s distinct requirements, says Ryan Berg, a cloud security strategist at IBM. Some contracts go into great detail, while others hardly mention security. “We’re trying to get them to understand where along the line that responsibility changes,” Berg says. “In the event that something does happen, what is the communication line? Who fixes it?”
One challenge to standardizing cloud security practices is the sheer variety of cloud offerings, he says. The term “cloud” refers to a wide range of computing—from buying server space from a startup to leasing software applications and getting them delivered over the Internet from a provider such as Salesforce.com. The servers might be housed in a nearby city, another state, or even another country governed by different data regulations. About 74 percent of security providers say more training is needed for cloud issues, according to a 2011 report by consultants Frost & Sullivan in Mountain View, Calif.
Adventist Health System, which operates 43 health facilities and needs to follow strict regulatory requirements for safeguarding health data, is looking to move at least its e-mail system to IBM’s cloud. Sharon Finney, the corporate data security officer for Adventist Health System in Altamonte Springs, Fla., says she’ll lean heavily on IBM to keep the information secure. “If I want to retain all of that liability, all of that control, then there’s no cost benefit to me putting data in the cloud,” Finney says. “It’s the cloud provider’s infrastructure. I would look to them for security.”
Even so, Adventist Health might still have to take responsibility if one of its employees caused a breach, she says.
Joe Coyle, the chief technology officer of Capgemini North America, created a service that weighs about a thousand factors to help companies decide whether they should migrate to the cloud, and if so, what kind of cloud. After all his analysis, and after assigning the appropriate kind of cloud, he says he still spends the most time on an issue not in his model: reminding companies that putting their data with a cloud provider doesn’t mean they can forget about it.
“They say they’re getting rid of their IT department,” he says. “I say, ‘No. You still have to do this.’”